Popular New Releases in VPN
brook: v20220404
lantern: 6.9.13
SoftEtherVPN: 5.02.5180
tailscale
headscale: v0.15.0
Popular Libraries in VPN
by trailofbits python
24206 AGPL-3.0
Set up a personal VPN in the cloud
by StreisandEffect shell
22448 NOASSERTION
Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
by hwdsl2 shell
16278 NOASSERTION
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
by Nyr shell
13652 MIT
OpenVPN road warrior installer for Ubuntu, Debian, CentOS and Fedora
by txthinking go
12828 GPL-3.0
Brook is a cross-platform, strongly encrypted proxy designed to have no detectable traffic signature. Zero configuration.
by getlantern go
10710
Official Lantern download, Lantern (蓝灯): censorship circumvention, proxy, access to the open internet, overseas sites, accelerator, ladder, routing; lantern proxy vpn censorship-circumvention censorship gfw accelerator
by SoftEtherVPN c
8193 NOASSERTION
Cross-platform multi-protocol VPN software. Pull requests are welcome. The stable version is available at https://github.com/SoftEtherVPN/SoftEtherVPN_Stable.
by angristan shell
7820 MIT
Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
by hoochanlon python
7789
🍅 Git/AWS/Google mirrors, SS/SSR/VMESS nodes, WireGuard, IPFS, DeepWeb, Capitalism, and a knowledge store of industry research reports
Trending New libraries in VPN
by tailscale go
7241 NOASSERTION
The easiest, most secure way to use WireGuard and 2FA.
by juanfont go
4158 BSD-3-Clause
An open source, self-hosted implementation of the Tailscale control server
by gravitl go
3749 NOASSERTION
Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
by tonarino rust
2978 MIT
A private network system that uses WireGuard under the hood.
by vpncn html
2776
2021 recommendations for VPN and circumvention software in China, with a guide to avoiding pitfalls; stable and usable. Compares SSR "airports", Lantern, WireGuard, V2ray, Laowang VPN, building your own ladder on a VPS and other circumvention software and methods; the latest circumvention VPN download recommendations for China.
by ndroi java
2067 MIT
One-click unlock of NetEase Cloud Music on Android, no ROOT required.
by wiretrustee go
1899 BSD-3-Clause
Connect your devices into a single secure private WireGuard®-based mesh network.
by ViRb3 go
1804 MIT
🚤 Cross-platform, unofficial CLI for Cloudflare Warp
by WeeJeWel html
1268 NOASSERTION
The easiest way to run WireGuard VPN + Web-based Admin UI.
Top Authors in VPN
1: 11 Libraries, 4143
2: 8 Libraries, 3990
3: 8 Libraries, 263
4: 8 Libraries, 239
5: 7 Libraries, 1323
6: 6 Libraries, 915
7: 5 Libraries, 309
8: 5 Libraries, 4544
9: 5 Libraries, 126
10: 5 Libraries, 8308
Trending Kits in VPN
Here are some of the packages commonly listed as Node.js VPN libraries. Some of the use cases of Node.js VPN libraries include:
- Securely accessing a private network over the internet.
- Creating a virtual private network (VPN).
- Bypassing internet censorship.
- Securing data in transit.
Node.js VPN libraries let an application drive a VPN connection from JavaScript: connect to a VPN server, bring up the tunnel, and manage the connection's lifecycle. The encryption itself is done by the tunnel protocol underneath (OpenVPN, IKEv2/IPsec, WireGuard), not by the JavaScript wrapper, so a wrapper is only as secure as the protocol implementation it drives, its configuration, and the version you pin. They can be used to build applications such as secure file sharing, remote access, and encrypted communication. Note that several entries below (vpngate, expressvpn, algo, strongswan) are not Node.js packages at all but services or standalone VPN software that a Node.js application could drive.
Let us look at the libraries in detail below.
node-vpn
- Easy-to-use API that makes it simple to set up and manage a VPN connection.
- Leaves encryption to the tunnelling protocol it wraps; check which protocol and version that is before relying on it.
- Supports multiple platforms, including Windows, Mac, Linux, iOS, and Android.
Strong-VPN
- Supports a wide range of protocols, including OpenVPN, IKEv2, and SSTP.
- Fast and reliable server connections.
- Compatible with most major operating systems, including Windows, macOS, iOS, Android, and Linux.
node-openvpn
- Drives the OpenVPN protocol, so it inherits OpenVPN's TLS-based authentication and encryption.
- Highly configurable, allowing users to customize the setup for their specific needs.
- Supports both IPv4 and IPv6 addressing.
fried-fame
- Quick to get started with compared to other VPN libraries.
- Designed with security in mind, using current encryption algorithms and techniques.
- An open-source project, so anyone can contribute, audit it, and benefit from the development.
vpngate
- VPN Gate is a public relay network run as an academic experiment by the University of Tsukuba on top of SoftEther VPN; it is a service, not a Node.js library.
- Relays are operated by volunteers, so they are untrusted intermediaries: keep end-to-end TLS inside the tunnel and do not send credentials through them in the clear.
- The relay list changes constantly, so any automation has to refresh it rather than pin a server.
expressvpn
- ExpressVPN is a commercial VPN service with its own client apps, not a Node.js library.
- Features a kill switch that blocks traffic outside the tunnel if the VPN drops, plus other leak-protection features.
- Offers a 30-day money-back guarantee.
algo
- Algo is Trail of Bits' set of Ansible playbooks for deploying a personal VPN server in the cloud (listed above under Popular Libraries); it is not a Node.js package.
- Generates a separate client profile per user or device.
- Deploys WireGuard and IPsec/IKEv2 with modern cipher suites and key- or certificate-based authentication; you choose which of the two to enable.
strongswan
- strongSwan is an open-source IPsec/IKEv2 implementation written in C, not a Node.js library; a Node.js application would drive it through its configuration files or its VICI management interface.
- Widely deployed, audited by independent experts, and used by many organizations in production.
- Runs on Linux, Android, macOS, Windows and other systems, and is straightforward to set up and configure.
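Added example, not code from any of the projects listed on this page: a small Python pre-flight validator for a wg-quick style WireGuard configuration, the check a practitioner runs before handing a config to any VPN wrapper library or to wg-quick itself. It parses [Interface]/[Peer] sections directly (configparser cannot handle the repeated [Peer] sections), verifies that keys are 32-byte base64 values and that Address, AllowedIPs and Endpoint parse, and flags two silent failure modes: an AllowedIPs entry of 0.0.0.0/0 or ::/0 that turns the peer into the default route, and the same AllowedIPs prefix assigned to two peers, which WireGuard's cryptokey routing resolves by moving the prefix to the last peer without any error. The two sample configs and the keys inside them are constructed for the demo and are not real key pairs.

```python
"""Pre-flight validation of a wg-quick style WireGuard config (added example,
not from any project on this page; keys and configs below are constructed)."""
import base64
import ipaddress
import re


def is_wg_key(value):
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); keys are lower-cased."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return interface, peers


def valid_endpoint(value):
    """host:port or [v6]:port; a bare IPv6 address without brackets is rejected."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return False
    return bool(host) and (":" not in host or (host[0] == "[" and host[-1] == "]"))


def validate_wg_conf(text):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    findings = []
    interface, peers = parse_wg_conf(text)
    if not is_wg_key(interface.get("privatekey", "")):
        findings.append("ERROR: [Interface] PrivateKey missing or not a 32-byte base64 key")
    for addr in filter(None, map(str.strip, interface.get("address", "").split(","))):
        try:
            ipaddress.ip_interface(addr)
        except ValueError:
            findings.append(f"ERROR: [Interface] bad Address {addr!r}")
    seen_keys, seen_nets = {}, {}  # cryptokey routing: one owner per prefix
    for idx, peer in enumerate(peers, 1):
        pub = peer.get("publickey", "")
        if not is_wg_key(pub):
            findings.append(f"ERROR: peer {idx}: PublicKey missing or malformed")
        elif pub in seen_keys:
            findings.append(f"ERROR: peer {idx}: PublicKey already used by peer {seen_keys[pub]}")
        else:
            seen_keys[pub] = idx
        if "allowedips" not in peer:
            findings.append(f"ERROR: peer {idx}: no AllowedIPs, so no traffic is routed to it")
        for net in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            try:
                network = ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f"ERROR: peer {idx}: bad AllowedIPs entry {net!r}")
                continue
            if network.prefixlen == 0:
                findings.append(f"WARN: peer {idx}: {net} makes this peer the default route (full tunnel)")
            if network in seen_nets:
                findings.append(f"ERROR: peer {idx}: {net} already routed to peer {seen_nets[network]}; "
                                "cryptokey routing would silently move it to the last peer")
            else:
                seen_nets[network] = idx
        if "endpoint" in peer and not valid_endpoint(peer["endpoint"]):
            findings.append(f"ERROR: peer {idx}: bad Endpoint {peer['endpoint']!r}")
    return findings


# Constructed demo material: deterministic 32-byte blobs, not real key pairs.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()

GOOD_CONF = f"""\
[Interface]
PrivateKey = {KEY_A}
Address = 10.8.0.2/24

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24   # split tunnel
Endpoint = vpn.example.com:51820
PersistentKeepalive = 25
"""

BAD_CONF = f"""\
[Interface]
PrivateKey = dG9vc2hvcnQ=
Address = 10.8.0.2/24

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com

[Peer]
PublicKey = {KEY_B}
AllowedIPs = 0.0.0.0/0
"""

if __name__ == "__main__":
    print("good:", validate_wg_conf(GOOD_CONF) or "clean")
    for finding in validate_wg_conf(BAD_CONF):
        print("bad:", finding)
```

Run it as a script to see the clean config pass and the broken one produce four errors (short private key, endpoint without port, duplicated peer key, duplicated 0.0.0.0/0 prefix) and two full-tunnel warnings; `validate_wg_conf` returns the findings as a list so it can gate a deployment step.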
Trending Discussions on VPN
Visual Studio Code "Error while fetching extensions. XHR failed"
.NET 6.0: new Blazor project throws Websocket error
How to Terraform Create and Validate AWS Certificate
Select value by text from a dynamic non select dropdown using Selenium Java
Accessing a private GKE cluster via Cloud VPN
How to solve Unity "Gradle build failed"?
Define Kafka ACL to limit topic creation
how to fix "Exception has occurred: SSLError HTTPSConnectionPool" in VS Code environment
How to reach host behind site-to-site VPN connection through peering VPC connection
Can AWS Lambda function call an endpoint over a VPN?
QUESTION
Visual Studio Code "Error while fetching extensions. XHR failed"
Asked 2022-Mar-13 at 12:38
This problem started a few weeks ago, when I started using NordVPN on my laptop. When I try to search for an extension, and even when trying to download through the marketplace, I get this error:
EDIT: Just noticed another thing that might indicate what's causing the issue. When I open VSCode and go to developer tools I get this error message (before even doing anything):
"(node:19368) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use Code --trace-deprecation ... to show where the warning was created)"
The only partial solution I found so far was to manually download and install extensions.
I've checked similar question here and in other places online, but I didn't find a way to fix this. So far I've tried:
- Flushing my DNS cache and setting it to google's DNS server.
- Disabling the VPN on my laptop and restarting VS Code.
- Clearing the Extension search results.
- Disabling all the extensions currently running.
I'm using a laptop running Windows 10. Any other possible solutions I haven't tried?
ANSWER
Answered 2021-Dec-10 at 05:26
December 10, 2021.
I'm using vscode with ubuntu 20.04.
I came across the XHR errors from yesterday and could not install any extensions.
Googled a lot but nothing works.
Eventually I downloaded and installed the newest version of VSCode(deb version) and everything is fine now.
(I don't know why but maybe you can give it a try! Good Luck!)
QUESTION
.NET 6.0: new Blazor project throws Websocket error
Asked 2022-Feb-26 at 12:07
I am currently running a webserver with ASP.NET Core 3.1 and a Blazor project. Recently when upgrading to .NET 6.0 I encountered (even with a blank Blazor project) some problems with a websocket error message in the browser, only when deployed on my webserver (see message below).
Locally (on Windows 11 x64, VS 22 Preview 4) there are no error messages...
Webserver: Debian 10 x64, .NET 6.0 SDK installed, running on NGINX with websockets enabled (reverse proxy).
Do I miss out on something or is it a problem with the current state of .NET 6.0 and NGINX? I already tried to access the webpage locally on the debian server and the same error message occurs.
Help would be much appreciated!
Greetings!
Error messages within order:
Information: Normalizing '_blazor' to 'http://192.168.178.35/_blazor'.
blazor.server.js:1 WebSocket connection to 'ws://192.168.178.35/_blazor?id=wnPt_fXa9H4Jpia530vPWQ' failed:
Information: (WebSockets transport) There was an error with the transport.
Error: Failed to start the transport 'WebSockets': Error: WebSocket failed to connect. The connection could not be found on the server, either the endpoint may not be a SignalR endpoint, the connection ID is not present on the server, or there is a proxy blocking WebSockets. If you have multiple servers check that sticky sessions are enabled.
Warning: Failed to connect via WebSockets, using the Long Polling fallback transport. This may be due to a VPN or proxy blocking the connection. To troubleshoot this, visit https://aka.ms/blazor-server-using-fallback-long-polling.
ANSWER
Answered 2022-Feb-26 at 12:07
Here is the solution described again, maybe a little bit more convenient:
To fix this problem, I changed in the site configuration (/etc/nginx/sites-available) of nginx the following line:
proxy_set_header Connection $connection_upgrade;
to
proxy_set_header Connection $http_connection;
For me this solved the problem.
QUESTION
How to Terraform Create and Validate AWS Certificate
Asked 2022-Feb-21 at 10:17
I am attempting to create and validate an AWS Certificate using Terraform by following the example from the Terraform documentation here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53
My Terraform file looks like:
resource "aws_acm_certificate" "vpn_server" {
  domain_name = "stuff.mine.com"

  validation_method = "DNS"

  tags = {
    Name        = "certificate"
    Scope       = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn = aws_acm_certificate.vpn_server.arn

  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]

  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"

  tags = {
    name = "dns_zone"
  }
}

resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = resource.aws_route53_zone.my_dns.zone_id
}
The problem is that when running terraform apply
the Validation always reaches the time-out and fails with the error messages:
aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]

╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.vpn_server,
│   on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│   61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵
Can someone tell me what I am missing to get the Certificate Validation to complete?
ANSWER
Answered 2021-Aug-26 at 15:23
The domain validation records need to be in a public zone that is properly delegated. So if you owned mine.com and then wanted to create a zone called stuff.mine.com, then you would need to set NS records in mine.com for stuff.mine.com that point to the stuff.mine.com zone's NS servers, which you aren't doing here, and you aren't using an already configured zone.
Without that, the records will be created in your zone, but that zone isn't then properly delegated, and so nothing will ever be able to resolve those records. You should be able to test this by attempting to resolve them yourself or using an external resolver tool such as MX Toolbox.
There's probably a lot to consider here, but you might want to set up a zone that will contain the eventual records you want to create (so the record pointing to the web server/load balancer that you want the certificate for plus the ACM domain validation records) separately and then just refer to the zone by using the aws_route53_zone data source so your domain validation records are created there.
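Added example (not part of the question, the answer, or the Terraform docs): a Python version of the check the answer recommends, with the DNS lookup injected as a function so it runs offline against a constructed record table and can be pointed at a live resolver when needed. check_delegation confirms that the NS set the public DNS tree returns for the child zone equals the hosted zone's own name servers (what aws_route53_zone.my_dns.name_servers reports), and check_validation_record confirms the ACM CNAME resolves to the expected value. The zone names, the ns-*.awsdns-* servers and the _token/_answer record pair are placeholders constructed for the demo; dns_lookup uses dnspython for a live check and is not exercised offline.

```python
"""Is an ACM DNS-validation record actually resolvable? (added example; every
name below is a constructed placeholder, not a real zone or record)."""


def _fqdn(name):
    """Normalise to a lower-case, dot-terminated DNS name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_delegation(child_zone, zone_name_servers, lookup):
    """Does the public DNS tree delegate child_zone to zone_name_servers?

    lookup(name, rtype) returns a list of answer strings, or None when the
    name does not exist or has no record of that type. Returns (ok, messages).
    """
    child = _fqdn(child_zone)
    delegated = lookup(child, "NS")
    if not delegated:
        return False, [f"no NS delegation for {child} is visible from the public DNS tree; "
                       f"add NS records for {child} in the parent zone"]
    expected = {_fqdn(n) for n in zone_name_servers}
    got = {_fqdn(n) for n in delegated}
    if got != expected:
        return False, [f"NS for {child} point at {sorted(got)} but the hosted zone is served by "
                       f"{sorted(expected)}; records created there are never queried"]
    return True, [f"{child} is delegated to the hosted zone's name servers"]


def check_validation_record(record_name, expected_value, lookup):
    """Does the ACM validation CNAME resolve to the value ACM expects?"""
    name = _fqdn(record_name)
    answer = lookup(name, "CNAME")
    if not answer:
        return False, f"{name} does not resolve"
    if _fqdn(answer[0]) != _fqdn(expected_value):
        return False, f"{name} resolves to {answer[0]}, expected {expected_value}"
    return True, f"{name} -> {expected_value}"


def acm_validation_will_succeed(child_zone, zone_name_servers, record_name, expected_value, lookup):
    """Combined pre-apply check; returns (ok, list_of_messages)."""
    ok, messages = check_delegation(child_zone, zone_name_servers, lookup)
    if not ok:
        return False, messages
    rec_ok, message = check_validation_record(record_name, expected_value, lookup)
    return rec_ok, messages + [message]


def dns_lookup(name, rtype):
    """Live lookup via dnspython (pip install dnspython); not used offline."""
    import dns.resolver  # lazy import so the module loads without dnspython
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return None


def table_lookup(table):
    """Offline lookup backed by a constructed {(name, rtype): [answers]} table."""
    return lambda name, rtype: table.get((_fqdn(name), rtype))


# Constructed placeholder data standing in for the Terraform outputs.
ROUTE53_NS = ["ns-1.awsdns-01.org", "ns-2.awsdns-02.co.uk"]  # aws_route53_zone.my_dns.name_servers
VALIDATION_NAME = "_token.stuff.mine.com"                    # dvo.resource_record_name
VALIDATION_VALUE = "_answer.acm-validations.aws."            # dvo.resource_record_value

# Case 1: mine.com delegates stuff.mine.com to the hosted zone, so the CNAME resolves.
DELEGATED = {
    ("mine.com.", "NS"): ["ns1.registrar.example.", "ns2.registrar.example."],
    ("stuff.mine.com.", "NS"): ["ns-1.awsdns-01.org.", "ns-2.awsdns-02.co.uk."],
    ("_token.stuff.mine.com.", "CNAME"): ["_answer.acm-validations.aws."],
}

# Case 2: the question's situation: the hosted zone exists in Route 53, but
# mine.com carries no NS records for it, so resolvers never reach the records.
NOT_DELEGATED = {
    ("mine.com.", "NS"): ["ns1.registrar.example.", "ns2.registrar.example."],
}

if __name__ == "__main__":
    for label, table in (("delegated", DELEGATED), ("not delegated", NOT_DELEGATED)):
        ok, messages = acm_validation_will_succeed(
            "stuff.mine.com", ROUTE53_NS, VALIDATION_NAME, VALIDATION_VALUE, table_lookup(table))
        print(label, "->", "OK" if ok else "FAIL", messages)
```

To run it against real DNS, pass dns_lookup as the lookup argument with the real zone name and the name_servers output of the hosted zone; a failing delegation check before terraform apply explains the PENDING_VALIDATION timeout without waiting two minutes for it.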
QUESTION
Select value by text from a dynamic non select dropdown using Selenium Java
Asked 2022-Feb-18 at 12:47
I want to select a value by text from a dynamic non-select dropdown. I did some research and I found this code:
WebElement element = driver.findElement(ByMapper.getBy(dropdown));
element.click();
List<WebElement> options = element.findElements(By.xpath("/html/body/div[1]/div[2]/div/div/div"));
for (WebElement option : options){
    if (option.getText().contains(text)){
        option.click();
        break;
    }
}
Basically it puts the dropdown's options into a List, runs through it in a for loop, and if an option contains the text, clicks it and breaks the loop. However it is not working with this type of dropdown:
Snapshot:
Can you suggest what I can do?
Snapshot of the specific value:
Note: The page is only available via private vpn, so I cannot share it.
ANSWER
Answered 2022-Feb-18 at 12:47
To select the value by text Teszt_5 from a dynamic non-Select dropdown you can use the following locator strategies:
import java.util.List;
import org.openqa.selenium.By;
import org.openqa.selenium.WebElement;

String text = "Teszt_5";
WebElement element = driver.findElement(ByMapper.getBy(dropdown));
element.click();
// Match the option texts inside the visible Angular Material autocomplete panel,
// instead of an absolute /html/body/... path that breaks when the layout changes.
List<WebElement> options = element.findElements(By.xpath("//div[@class='mat-autocomplete-panel mat-autocomplete-visible ng-star-inserted' and starts-with(@aria-labelledby, 'mat-form-field-label')]//mat-option//span[@class='mat-option-text']"));
for (WebElement option : options){
    if (option.getText().contains(text)){
        option.click();
        break;
    }
}
QUESTION
Accessing a private GKE cluster via Cloud VPN
Asked 2022-Feb-10 at 15:52
We have set up a GKE cluster using Terraform with private and shared networking:
Network configuration:
resource "google_compute_subnetwork" "int_kube02" {
  name          = "int-kube02"
  region        = var.region
  project       = "infrastructure"
  network       = "projects/infrastructure/global/networks/net-10-23-0-0-16"
  ip_cidr_range = "10.23.5.0/24"
  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.60.0.0/14" # 10.60 - 10.63
  }
  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.56.0.0/16"
  }
}
Cluster configuration:
resource "google_container_cluster" "gke_kube02" {
  name     = "kube02"
  location = var.region

  initial_node_count = var.gke_kube02_num_nodes

  network    = "projects/ninfrastructure/global/networks/net-10-23-0-0-16"
  subnetwork = "projects/infrastructure/regions/europe-west3/subnetworks/int-kube02"

  master_authorized_networks_config {
    cidr_blocks {
      display_name = "admin vpn"
      cidr_block   = "10.42.255.0/24"
    }
    cidr_blocks {
      display_name = "monitoring server"
      cidr_block   = "10.42.4.33/32"
    }
    cidr_blocks {
      display_name = "cluster nodes"
      cidr_block   = "10.23.5.0/24"
    }
  }

  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true
    master_ipv4_cidr_block  = "192.168.23.0/28"
  }

  node_config {
    machine_type = "e2-highcpu-2"

    tags = ["kube-no-external-ip"]
    metadata = {
      disable-legacy-endpoints = true
    }

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }
}
The cluster is online and running fine. If I connect to one of the worker nodes I can reach the API using curl:
curl -k https://192.168.23.2
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}
I also see a healthy cluster when using a SSH port forward:
❯ k get pods --all-namespaces --insecure-skip-tls-verify=true
NAMESPACE     NAME                                               READY   STATUS    RESTARTS   AGE
kube-system   event-exporter-gke-5479fd58c8-mv24r                2/2     Running   0          4h44m
kube-system   fluentbit-gke-ckkwh                                2/2     Running   0          4h44m
kube-system   fluentbit-gke-lblkz                                2/2     Running   0          4h44m
kube-system   fluentbit-gke-zglv2                                2/2     Running   4          4h44m
kube-system   gke-metrics-agent-j72d9                            1/1     Running   0          4h44m
kube-system   gke-metrics-agent-ttrzk                            1/1     Running   0          4h44m
kube-system   gke-metrics-agent-wbqgc                            1/1     Running   0          4h44m
kube-system   kube-dns-697dc8fc8b-rbf5b                          4/4     Running   5          4h44m
kube-system   kube-dns-697dc8fc8b-vnqb4                          4/4     Running   1          4h44m
kube-system   kube-dns-autoscaler-844c9d9448-f6sqw               1/1     Running   0          4h44m
kube-system   kube-proxy-gke-kube02-default-pool-2bf58182-xgp7   1/1     Running   0          4h43m
kube-system   kube-proxy-gke-kube02-default-pool-707f5d51-s4xw   1/1     Running   0          4h43m
kube-system   kube-proxy-gke-kube02-default-pool-bd2c130d-c67h   1/1     Running   0          4h43m
kube-system   l7-default-backend-6654b9bccb-mw6bp                1/1     Running   0          4h44m
kube-system   metrics-server-v0.4.4-857776bc9c-sq9kd             2/2     Running   0          4h43m
kube-system   pdcsi-node-5zlb7                                   2/2     Running   0          4h44m
kube-system   pdcsi-node-kn2zb                                   2/2     Running   0          4h44m
kube-system   pdcsi-node-swhp9                                   2/2     Running   0          4h44m
So far so good. Then I set up the Cloud Router to announce the 192.168.23.0/28 network. This was successful and replicated to our local site using BGP. Running show route 192.168.23.2 displays that the correct route is advertised and installed.
When trying to reach the API from the monitoring server 10.42.4.33 I just run into timeouts. All three, the Cloud VPN, the Cloud Router and the Kubernetes cluster, run in europe-west3.
When I try to ping one of the workers it works completely fine, so networking in general works:
[me@monitoring ~]$ ping 10.23.5.216
PING 10.23.5.216 (10.23.5.216) 56(84) bytes of data.
64 bytes from 10.23.5.216: icmp_seq=1 ttl=63 time=8.21 ms
64 bytes from 10.23.5.216: icmp_seq=2 ttl=63 time=7.70 ms
64 bytes from 10.23.5.216: icmp_seq=3 ttl=63 time=5.41 ms
64 bytes from 10.23.5.216: icmp_seq=4 ttl=63 time=7.98 ms
Google's documentation gives no hint as to what could be missing. From what I understand, the cluster API should be reachable by now.
Does anyone know what could be missing, and why the API is not reachable via the VPN?
Thanks a lot for your help!
ANSWER
Answered 2022-Feb-10 at 15:52
I have been missing the peering configuration documented here: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#cp-on-prem-routing
resource "google_compute_network_peering_routes_config" "peer_kube02" {
  peering = google_container_cluster.gke_kube02.private_cluster_config[0].peering_name
  project = "infrastructure"
  network = "net-10-13-0-0-16"

  export_custom_routes = true
  import_custom_routes = false
}
QUESTION
How to solve Unity "Gradle build failed"?
Asked 2022-Jan-12 at 04:34
When I tried to build a Unity project for Android, it reported "Gradle build failed". I tried using a VPN and using another repository (based in China, where the Gradle connection is not working well), but still got the same errors.
I checked the log (see below); one line says it tries to "Connect to 192.168.1.4:1125 [/192.168.1.4]", which seems suspicious. My building PC is 192.168.1.2, and it's connected directly to a fiber optic modem, which is 192.168.1.1. The 192.168.1.4 is another wifi modem connected to the fiber optic modem, and it should have nothing to do with my PC's internet connection.
Why does Unity try connecting to a device that's not related when building with Gradle? Any suggestions on how to solve this build failure? Thank you!
A problem occurred configuring project ':launcher'.

> Could not resolve all artifacts for configuration ':launcher:classpath'.

> Could not resolve com.android.tools.build:gradle:4.0.1.

Required by:

project :launcher

> Could not resolve com.android.tools.build:gradle:4.0.1.

> Could not get resource '404'.

> Could not GET '404'.

> Connect to 192.168.1.4:1125 [/192.168.1.4] failed: Connection timed out: connect
ANSWER
Answered 2022-Jan-12 at 04:34
QUESTION
Define Kafka ACL to limit topic creation
Asked 2021-Dec-30 at 07:35
We are currently running an unsecured Kafka setup on AWS MSK (so I don't have access to most config files directly and need to use the kafka-cli) and are looking into ways to add protection. Setting up TLS & SASL is easy, though as our Kafka cluster is behind a VPN and already has restricted access, it does not add more security.
We want to start with the most important and, in our opinion, quick-win security addition: protect topics from being deleted (and created) by all users.
We currently have allow.everyone.if.no.acl.found set to true.
All I find on Google or Stack Overflow shows me how I can restrict users from reading/writing to other topics than they have access to. Though ideally that is not what we want to implement as a first step.
I have found things about a root user (it is an admin user, though it was called root in all the tutorials I read). Though the examples I have found don't show how to add an ACL to this root user to make it the only one with access to topic deletion/creation.
Can you please explain how to create such a user and block all other users?
By the way, we also don't use Zookeeper, even though an MSK cluster adds this by default, and hope we can do this without actively adding Zookeeper to our stack. The answer given here hardly relies on Zookeeper. Also, this answer points to the topic read/write examples only, even though the question was the same as I am asking.
ANSWER
Answered 2021-Dec-21 at 10:11
I'd like to start with a disclaimer that I'm personally not familiar with the AWS MSK offering in great detail, so this answer is largely based on my understanding of the open source distribution of Apache Kafka.
First - The Kafka ACLs are actually stored in Zookeeper by default, so if you're not using Zookeeper, it might be worth adding it.
Reference - Kafka Definitive Guide - 2nd edition - Chapter 11 - Securing Kafka - Page 294
Second - If you're using SASL for authentication through any of the supported mechanisms such as GSSAPI (Kerberos), then you'll need to create a principal as you would normally create one and use one of the following options:
Add the required permissions for topic creation/deletion etc. using the kafka-acls command (Command Reference):
bin/kafka-acls.sh --add --cluster --operation Create --authorizer-properties zookeeper.connect=localhost:2181 --allow-principal User:admin
Note - admin is the assumed principal name.
Or add the admin user to the super users list in the server.properties file by adding the following line, so it has unrestricted access on all resources:
super.users=User:admin
Any more users can be added on the same line, delimited by ;.
To add the strictness, you'll need to set allow.everyone.if.no.acl.found to false, so that any access to any resource is only granted by explicitly adding these permissions.
Third - As you've asked specifically about your root user, I'm assuming you're referring to the Linux root here. You could just restrict the Linux-level permissions using the chmod command for the kafka-acls.sh script, but that is quite a crude way of achieving what you need. I'm also not entirely sure if this is doable in MSK or not.
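The two settings this answer leans on, allow.everyone.if.no.acl.found and super.users, interact with per-resource ACLs in a way that is easy to get wrong, so here is an added example (not from the answer above and not Kafka's own code) that models the decision order of Kafka's AclAuthorizer in Python. The principals (User:admin, User:app1) and the topic name (orders) are constructed; host matching and PREFIXED resource patterns are deliberately left out.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Acl:
    principal: str      # "User:admin", or the wildcard "User:*"
    resource_type: str  # "Cluster" or "Topic"
    resource_name: str  # "kafka-cluster", a topic name, or "*"
    operation: str      # "Create", "Delete", "Read", ... or "All"
    permission: str = "Allow"  # or "Deny"

@dataclass
class Authorizer:
    acls: list = field(default_factory=list)
    super_users: frozenset = frozenset()         # super.users=User:admin;User:ops
    allow_everyone_if_no_acl_found: bool = True  # the asker's current setting

    def authorize(self, principal, operation, rtype, rname):
        # Decision order of Kafka's AclAuthorizer: super user first, then "no ACL
        # on this resource" falls back to the flag, then Deny beats Allow.
        if principal in self.super_users:
            return True
        found = [a for a in self.acls
                 if a.resource_type == rtype and a.resource_name in (rname, "*")]
        if not found:
            return self.allow_everyone_if_no_acl_found
        def match(perm):
            return any(a.permission == perm and a.principal in (principal, "User:*")
                       and a.operation in (operation, "All") for a in found)
        return False if match("Deny") else match("Allow")

def can_create_topic(auth, principal, topic):
    # CreateTopics passes on Create@Cluster (what the answer's kafka-acls command
    # grants) or, failing that, on Create@Topic for that topic name.
    return (auth.authorize(principal, "Create", "Cluster", "kafka-cluster")
            or auth.authorize(principal, "Create", "Topic", topic))

def can_delete_topic(auth, principal, topic):
    return auth.authorize(principal, "Delete", "Topic", topic)

# Constructed states. HALFWAY: only the answer's ACL was added, flag still true.
HALFWAY = Authorizer([Acl("User:admin", "Cluster", "kafka-cluster", "Create")])
# LOCKED: flag set to false, admin listed in super.users, app1 granted Read only.
LOCKED = Authorizer([Acl("User:app1", "Topic", "orders", "Read")],
                    frozenset({"User:admin"}), allow_everyone_if_no_acl_found=False)
if __name__ == "__main__":
    for label, auth in (("HALFWAY", HALFWAY), ("LOCKED", LOCKED)):
        for user in ("User:admin", "User:app1"):
            print(label, user, "create:", can_create_topic(auth, user, "orders"),
                  "delete:", can_delete_topic(auth, user, "orders"))
```

In the HALFWAY state app1 can still create and delete any topic, because no ACL exists on the Topic resource and the flag answers "allow"; only the LOCKED state confines those operations to the super user while app1 keeps the Read it was explicitly granted.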
QUESTION
how to fix "Exception has occurred: SSLError HTTPSConnectionPool" in VS Code environment
Asked 2021-Dec-25 at 18:40
I try to use the Python requests library but I got this error.
I use Psiphon VPN most of the time on Windows 10,
and got the error below after calling requests.get('[API URL]'):
Exception has occurred: SSLError
HTTPSConnectionPool(host='api.github.com', port=443): Max retries exceeded with url: /user (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

During handling of the above exception, another exception occurred:

  File "C:\Users\Hessam\Desktop\QWE.py", line 3, in <module>
    r = requests.get('https://api.github.com/user', auth=('user', 'pass'))
ANSWER
Answered 2021-Dec-25 at 18:40
You should try to add verify=False to your request:
import requests
r = requests.get('https://api.github.com/user', verify=False)
requests verifies SSL certificates for HTTPS requests, just like a web browser. By default, SSL verification is enabled, and requests will throw an SSLError if it's unable to verify the certificate.
In your specific case, you most likely have a problem with the SSL certificate on your VPN.
Note that when verify is set to False, requests will accept any TLS certificate presented by the server, and will ignore hostname mismatches and/or expired certificates, which will make your application vulnerable to man-in-the-middle (MitM) attacks. Setting verify to False may be useful during local development or testing.
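The asker's [SSL: WRONG_VERSION_NUMBER] is raised before any certificate is examined: the far end answered the TLS ClientHello with bytes that are not a TLS record (commonly plain HTTP from a proxy or a wrong port), so verify=False cannot change the outcome. This added example (not from the answer above) reproduces that offline with a constructed plain-text listener on loopback and probes it with the standard library, once with verification on and once with it switched off the way requests does for verify=False.

```python
import http.client
import socket
import ssl
import threading

# Constructed stand-in for a proxy or endpoint that speaks plain HTTP on the
# port the client believes is HTTPS (the usual source of WRONG_VERSION_NUMBER).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

def start_plaintext_listener():
    """Bind an ephemeral loopback port and answer one connection with plain HTTP."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # this is the client's TLS ClientHello, ignored
            conn.sendall(PLAINTEXT_REPLY)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def tls_handshake_reason(port, verify):
    """Try HTTPS against the port; return the OpenSSL reason mnemonic on failure."""
    ctx = ssl.create_default_context()
    if not verify:  # exactly what requests does internally for verify=False
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection("127.0.0.1", port, context=ctx, timeout=5)
    try:
        conn.request("GET", "/user")
        return f"OK {conn.getresponse().status}"
    except ssl.SSLError as err:
        return err.reason or str(err)
    finally:
        conn.close()

def compare_verify_modes():
    """Probe a fresh listener with verification on and off; both fail the same way."""
    return {verify: tls_handshake_reason(start_plaintext_listener(), verify)
            for verify in (True, False)}

if __name__ == "__main__":
    for verify, reason in compare_verify_modes().items():
        print(f"verify={verify}: {reason}")  # both report WRONG_VERSION_NUMBER
```

A genuine certificate problem would surface as CERTIFICATE_VERIFY_FAILED instead; this mnemonic points at the proxy or port configuration, which is where to look before touching verify.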
QUESTION
How to reach host behind site-to-site VPN connection through peering VPC connection
Asked 2021-Dec-18 at 01:22
I actually have the following situation:
I successfully reach host C from host A using VPN static routes. I now need to reach it from host B. I thought to create a route table for VPC B that forwards requests for the /32 IP of host C through the peering connection... But it doesn't work.
Is there a way to do that?
N.B. I cannot use Transit Gateway.
Thanks!
ANSWER
Answered 2021-Dec-17 at 10:14
"I now need to reach it from host B."
You can't do this. VPC peering is not transitive. You can set up a VPC connection to VPC B as well instead.
QUESTION
Can AWS Lambda function call an endpoint over a VPN?
Asked 2021-Dec-16 at 21:30
I'm using an SMS sending service provided by a local mobile carrier. The carrier requires clients to connect to their datacentre over a VPN in order to reach their endpoints. The VPN tunnel must always be kept open (i.e. not on demand).
Currently, I'm using a micro EC2 instance that acts as middleware between my main production server (also an EC2 instance) and the carrier endpoint.
Production Server --> My SMS Server --over VPN--> Carrier SMS Server
Is there a way to replace my middleware server with an AWS Lambda function that sends HTTP requests to the carrier over an always-on VPN tunnel?
Also, can an AWS Lambda function maintain a static IP? The carrier has to place my IP in their whitelist before I can use their service.
ANSWER
Answered 2021-Dec-16 at 21:30
"s2svpn would be great but my question is can a lambda function HTTP request route through that connection?"
Sure. Lambdas can have a VPC subnet attached. It's a matter of configuring the subnet routing table / VPN configuration to route the traffic to the carrier through the VPN endpoint.
"Also, can an AWS Lambda function maintain a static IP?"
No. Depends. A VPC-attached Lambda will create an ENI (network interface) in the subnet with an internal (not fixed) subnet IP address. But the traffic can be routed through a fixed NAT or a VPN gateway.
That's the reason I asked which IP address needs to be fixed, on what level. The VPN has a fixed IP address. If the carrier enforces the VPN address whitelisting, Lambda clients should be working. If a fixed IP of the internal network is required, then you will need a fixed network interface (e.g. using EC2).
Community Discussions contain sources that include Stack Exchange Network